Current on FuLoong unable to figure out system type

2010-02-18 Thread Lars Nooden
Installing current on a Yeeloong went rather smoothly. Fuloong 2F6004 is 
giving a bit more trouble and bsd.rd seems not to be able to identify the 
system type.  What is needed to boot bsd.rd (with serial interface) on the 
FuLoong?


Below is from the 17 Feb snapshot.

/Lars



ifaddr rtk0 11.22.33.44
bootp=8000b968

boot tftp://11.22.33.55/bsd.rd
Loading file: tftp://11.22.33.55/bsd.rd (elf)
(elf)
0x8020/7007920 + 0x808aeeb0/481136(z) + 7402 syms\
Unable to figure out model!
Halting system.

===
After messing with the PMON settings

set bsd /bsd
set novga 1
set nokbd 1

the error is a little different, but basically cannot find the system 
type:


ifaddr rtk0 11.22.33.44
bootp=8000b968

boot tftp://11.22.33.55/bsd.rd
Loading file: tftp://11.22.33.55/bsd.rd (elf)
(elf)
0x8020/7007920 + 0x808aeeb0/481136(z) + 7402 syms\

WARNING! CORRUPTED ENVIRONMENT!
Unable to search for systype.
	If the kernel fails to identify the system type, please boot it 
again with '-k' option.

Unable to figure out system type!
Halting system.



Re: Current on FuLoong unable to figure out system type

2010-02-18 Thread Otto Moerbeek
On Thu, Feb 18, 2010 at 10:47:42AM +0200, Lars Nooden wrote:

 Installing current on a Yeeloong went rather smoothly. Fuloong
 2F6004 is giving a bit more trouble and bsd.rd seems not to be able
 to identify the system type.  What is needed to boot bsd.rd (with
 serial interface) on the FuLoong?
 
 Below is from the 17 Feb snapshot.
 
 /Lars
 
 
 
   ifaddr rtk0 11.22.33.44
   bootp=8000b968
 
   boot tftp://11.22.33.55/bsd.rd
   Loading file: tftp://11.22.33.55/bsd.rd (elf)
   (elf)
   0x8020/7007920 + 0x808aeeb0/481136(z) + 7402 syms\
   Unable to figure out model!
   Halting system.
 
 ===
 After messing with the PMON settings
 
   set bsd /bsd
   set novga 1
   set nokbd 1
 
 the error is a little different, but basically cannot find the
 system type:
 
   ifaddr rtk0 11.22.33.44
   bootp=8000b968
 
   boot tftp://11.22.33.55/bsd.rd
   Loading file: tftp://11.22.33.55/bsd.rd (elf)
   (elf)
   0x8020/7007920 + 0x808aeeb0/481136(z) + 7402 syms\
 
   WARNING! CORRUPTED ENVIRONMENT!
   Unable to search for systype.
   If the kernel fails to identify the system type, please boot it
 again with '-k' option.
   Unable to figure out system type!
   Halting system.

Retry with boot -k tftp://..., as suggested by the error message.
Also PMON sometimes gets confused, and a power cycle is needed (using the
reset button is not enough in all cases).

-Otto



Class - Workshop: Couples Therapy

2010-02-18 Thread difusion-esa
Escuela Sistémica Argentina presents:

Class - Workshop

Couples Therapy

and Supervision of Clinical Cases
===

Wednesday 24 February, from 18.00 to 19.30 and from 19.30 to 21.00 hs.

Coordinator: Lic. Fernando Rubano

Paid activity. Certificates will be issued.

Places can be reserved by e-mail or by telephone.

Information and registration:

Fray J. S. M. Oro 1843 (C1414DBC) Cap. Fed.
Tel/Fax: 4774-2875/6112 - 4899-1053  i...@escuelasistemica.com.ar





Re: OSPFd on Feb 17th 2010 -current Incompatibilities

2010-02-18 Thread Insan Praja SW

Hi All,
On Thu, 18 Feb 2010 05:32:43 +0700, Claudio Jeker  
cje...@diehard.n-r-g.com wrote:



On Thu, Feb 18, 2010 at 03:03:34AM +0700, Insan Praja SW wrote:

Hi Misc@,
Recently I updated one of my routers to current. We run OSPFd as
an IGP for our network. The update went successfully, but OSPFd won't get
synchronized. On the kernel-updated routers ospfctl sh neig shows:

$ ospfctl sh neig
ID               Pri State        DeadTime Address          Iface  Uptime



on Dec 20 kernel routers it shows:

$ ospfctl sh nei
ID               Pri State        DeadTime Address          Iface  Uptime
2ab.cde.fgh.229  1   FULL/DR      00:00:31 2ab.cde.fgh.6    vlan6  01w2d21h
2ab.cde.fgh.226  1   DOWN/OTHER   00:36:21 2ab.cde.fgh.3    vlan6  -
2ab.cde.fgh.227  1   FULL/BCKUP   00:00:31 2ab.cde.fgh.4    vlan6  01w2d21h
2ab.cde.fgh.228  1   2-WAY/OTHER  00:00:31 2ab.cde.fgh.5    vlan6  -

The router-ids are their loopback interfaces. Below are their configs.



Did you run ospfd -dvv on the box that is not working? Is there any info
in the log? My ospfd's are quite happy at the moment. Few old ones, for
non openbsd ones and a few -current ones.



With the ospfd -dvv I finally found the problem.


$ sudo ospfd -dvv
password = secret
warning: macro 'password' not used
startup
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan6
if_fsm: event UP resulted in action START and changing state for interface vlan6 from DOWN to WAIT

orig_asext_lsa: 1ab.cde.fg.240/30 age 0
orig_asext_lsa: 1hi.jkl.mn.196/30 age 0
orig_asext_lsa: 1op.qrs.tuv.112/30 age 0
orig_asext_lsa: 2ab.cde.fgh.32/30 age 0
rde_asext_get: 2ab.cde.fgh.0/29 is net LSA
orig_asext_lsa: 2ab.cde.fgh.16/30 age 0
orig_asext_lsa: 2ab.cde.fg.4/30 age 0
orig_asext_lsa: 2hi.jkl.mno.232/30 age 0
spf_calc: area 0.0.0.0 calculated
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6   <- This is it

recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
^Croute decision engine exiting
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan6
if_fsm: event DOWN resulted in action RESET and changing state for interface vlan6 from WAIT to DOWN

ospf engine exiting
kernel routing table decoupled
terminating
$ ifconfig lo
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo egress
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff00
        inet 2ab.cde.fgh.226 netmask 0x
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        description: BLACKHOLE
        priority: 0
        groups: lo
        inet 127.0.0.2 netmask 0x

Thanks,


Insan Praja SW
--
insandotpraja(at)gmaildotcom



Re: OSPFd on Feb 17th 2010 -current Incompatibilities

2010-02-18 Thread Insan Praja SW

Hi all,
On Thu, 18 Feb 2010 18:54:04 +0700, Insan Praja SW insan.pr...@gmail.com  
wrote:



Hi All,
On Thu, 18 Feb 2010 05:32:43 +0700, Claudio Jeker  
cje...@diehard.n-r-g.com wrote:



On Thu, Feb 18, 2010 at 03:03:34AM +0700, Insan Praja SW wrote:

Hi Misc@,
Recently I updated one of my routers to current. We run OSPFd as
an IGP for our network. The update went successfully, but OSPFd won't get
synchronized. On the kernel-updated routers ospfctl sh neig shows:

$ ospfctl sh neig
ID               Pri State        DeadTime Address          Iface  Uptime



on Dec 20 kernel routers it shows:

$ ospfctl sh nei
ID               Pri State        DeadTime Address          Iface  Uptime
2ab.cde.fgh.229  1   FULL/DR      00:00:31 2ab.cde.fgh.6    vlan6  01w2d21h
2ab.cde.fgh.226  1   DOWN/OTHER   00:36:21 2ab.cde.fgh.3    vlan6  -
2ab.cde.fgh.227  1   FULL/BCKUP   00:00:31 2ab.cde.fgh.4    vlan6  01w2d21h
2ab.cde.fgh.228  1   2-WAY/OTHER  00:00:31 2ab.cde.fgh.5    vlan6  -

The router-ids are their loopback interfaces. Below are their configs.



Did you run ospfd -dvv on the box that is not working? Is there any info
in the log? My ospfd's are quite happy at the moment. Few old ones, for
non openbsd ones and a few -current ones.



With the ospfd -dvv I finally found the problem.


$ sudo ospfd -dvv
password = secret
warning: macro 'password' not used
startup
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan6
if_fsm: event UP resulted in action START and changing state for interface vlan6 from DOWN to WAIT

orig_asext_lsa: 1ab.cde.fg.240/30 age 0
orig_asext_lsa: 1hi.jkl.mn.196/30 age 0
orig_asext_lsa: 1op.qrs.tuv.112/30 age 0
orig_asext_lsa: 2ab.cde.fgh.32/30 age 0
rde_asext_get: 2ab.cde.fgh.0/29 is net LSA
orig_asext_lsa: 2ab.cde.fgh.16/30 age 0
orig_asext_lsa: 2ab.cde.fg.4/30 age 0
orig_asext_lsa: 2hi.jkl.mno.232/30 age 0
spf_calc: area 0.0.0.0 calculated
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6   <- This is it

recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
^Croute decision engine exiting
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan6
if_fsm: event DOWN resulted in action RESET and changing state for interface vlan6 from WAIT to DOWN

ospf engine exiting
kernel routing table decoupled
terminating
$ ifconfig lo
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo egress
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff00
        inet 2ab.cde.fgh.226 netmask 0x
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        description: BLACKHOLE
        priority: 0
        groups: lo
        inet 127.0.0.2 netmask 0x

Thanks,


Insan Praja SW


So I found out that there is a rdr rule in pf.conf which redirects OSPF
traffic to lo1 (silly me...). I fixed the rule and it stayed in INIT state.



if_act_elect: interface vlan6 old dr none new dr 2ab.cde.fgh.3, old bdr none new bdr none

orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan6
orig_rtr_lsa: area 0.0.0.0
orig_rtr_lsa: stub net, interface vlan6
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface vlan6 from WAIT to DR

recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.225
recv_ls_update: packet ignored in state INIT, neighbor ID 2ab.cde.fgh.228
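
The triage the thread above did by hand, as an added example (not code from the thread or from OpenBSD's ospfd): it summarises the two ospfd -dvv messages that carried the diagnosis and flags a loopback destination, which points at local rewriting of OSPF packets (here a pf rdr rule to lo1) rather than at the neighbours. It assumes the message formats shown above; the sample addresses are constructed from RFC 5737 documentation space.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an ospfd -dvv capture.
# stdin: ospfd -dvv output. stdout: one sorted finding per (address, iface)
# pair for "packet sent to wrong address" and per (state, neighbor) pair for
# "packet ignored in state".
ospf_triage() {
    awk '
    /recv_packet: packet sent to wrong address/ {
        addr = $7; sub(/,$/, "", addr)          # strip the trailing comma
        wrong[addr " " $9]++                    # $9 is the interface name
    }
    /recv_ls_update: packet ignored in state/ {
        state = $6; sub(/,$/, "", state)
        ignored[state " " $9]++                 # $9 is the neighbor router ID
    }
    END {
        for (k in wrong) {
            split(k, f, " ")
            # A 127/8 destination cannot have come from a neighbour: something
            # on this host (pf rdr, as in the thread) rewrote the packet.
            if (f[1] ~ /^127\./)
                hint = "loopback destination: something on this host (e.g. a pf rdr rule) rewrites OSPF packets"
            else
                hint = "unexpected destination: check the interface address and multicast setup"
            printf "wrong-address %s on %s x%d: %s\n", f[1], f[2], wrong[k], hint
        }
        for (k in ignored) {
            split(k, f, " ")
            printf "ignored-in-%s from neighbor %s x%d: adjacency with %s stuck in %s\n", f[1], f[2], ignored[k], f[2], f[1]
        }
    }' | sort
}

# Constructed sample mirroring the thread: redirected hellos, then LS updates
# dropped because the adjacency never left INIT.
SAMPLE_LOG='startup
if_fsm: event UP resulted in action START and changing state for interface vlan6 from DOWN to WAIT
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6 <- This is it
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
recv_packet: packet sent to wrong address 127.0.0.2, interface vlan6
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface vlan6 from WAIT to DR
recv_ls_update: packet ignored in state INIT, neighbor ID 192.0.2.228
recv_ls_update: packet ignored in state INIT, neighbor ID 192.0.2.225
recv_ls_update: packet ignored in state INIT, neighbor ID 192.0.2.228'

# Run the triage over the sample. On a router: ospfd -dvv 2>&1 | tee ospfd.log,
# then ospf_triage < ospfd.log; a loopback finding means pfctl -sn is the next stop.
triage_sample() {
    printf '%s\n' "$SAMPLE_LOG" | ospf_triage
}
```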

Re: Strange problem | routing issue

2010-02-18 Thread Stuart Henderson
On 2010-02-18, Shailesh Tyagi shail...@novanet.net wrote:
 It seems there is a bug in routing with current 4.7 amd64 (build 10 Feb.). I
 tried i386 and it worked with same configuration and without any issues. Just
 to make sure I even tried reinstalling the amd64 once again thinking I might
 have made some mistakes the first time but same results. Following are the
 dmesgs from both installations.

Although you shouldn't have this type of problem with running amd64
(and after unwrapping your dmesg and diffing them, I see no real
differences between your logs from amd64 and i386), is there a
particular reason you want to run amd64 on routers rather than i386?

 OpenBSD 4.7-beta (GENERIC.MP) #85: Sun Feb  7 17:06:57 MST 2010

Using the MP kernel adds overheads which you probably won't recoup
on a router, particularly if you're just taking defaults from upstream
(you'd be more likely to see a difference if e.g. you're doing a lot
of route filtering or running a route-reflector).

 As soon as we start traffic bgp server starts behaving strangely. For example
 if we ping any IP, customer side or towards upstream from the bgpd server,
 first few seconds we get no route to host and after few seconds it starts
 getting the response. When we try to ping the same IP again, behavior remains
 unchanged. Which means it can't get the route for few seconds. We have checked

It might be useful to include output from 'route -n monitor' while
this is happening. But please, turn off line wrapping in your mail client,
it makes your posts very difficult to read.

 xxx.xxx.53.0       link#9    UHLc    01 - 4   vlan101
 xxx.xxx.53.0/30    link#9    UC      20 - 4   vlan101
 xxx.xxx.53.2       link#9    UHRLc  115 - 4   vlan101

This is odd (similar for the other subnets in your output). Why the cloned
host entry for 203.153.53.0? Where is the lo0 entry for 203.153.53.1 that
hostname.vlan101 suggests should be there? Looking at ifconfig -A output
might give a clue.

(btw, you might as well skip obfuscating the addresses/ASN, it just makes
it harder to read and doesn't hide anything).



Re: Strange problem | routing issue

2010-02-18 Thread Shailesh Tyagi
No reason, platform supports 64bit and thought performance will be better on
it. Its running well on i386.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Stuart Henderson
Sent: Thursday, February 18, 2010 6:13 PM
To: misc@openbsd.org
Subject: Re: Strange problem | routing issue

On 2010-02-18, Shailesh Tyagi shail...@novanet.net wrote:
 It seems there is a bug in routing with current 4.7 amd64 (build 10 Feb.). I
 tried i386 and it worked with same configuration and without any issues. Just
 to make sure I even tried reinstalling the amd64 once again thinking I might
 have made some mistakes the first time but same results. Following are the
 dmesgs from both installations.

Although you shouldn't have this type of problem with running amd64
(and after unwrapping your dmesg and diffing them, I see no real
differences between your logs from amd64 and i386), is there a
particular reason you want to run amd64 on routers rather than i386?

 OpenBSD 4.7-beta (GENERIC.MP) #85: Sun Feb  7 17:06:57 MST 2010

Using the MP kernel adds overheads which you probably won't recoup
on a router, particularly if you're just taking defaults from upstream
(you'd be more likely to see a difference if e.g. you're doing a lot
of route filtering or running a route-reflector).

 As soon as we start traffic bgp server starts behaving strangely. For example
 if we ping any IP, customer side or towards upstream from the bgpd server,
 first few seconds we get no route to host and after few seconds it starts
 getting the response. When we try to ping the same IP again, behavior remains
 unchanged. Which means it can't get the route for few seconds. We have checked

It might be useful to include output from 'route -n monitor' while
this is happening. But please, turn off line wrapping in your mail client,
it makes your posts very difficult to read.

 xxx.xxx.53.0       link#9    UHLc    01 - 4   vlan101
 xxx.xxx.53.0/30    link#9    UC      20 - 4   vlan101
 xxx.xxx.53.2       link#9    UHRLc  115 - 4   vlan101

This is odd (similar for the other subnets in your output). Why the cloned
host entry for 203.153.53.0? Where is the lo0 entry for 203.153.53.1 that
hostname.vlan101 suggests should be there? Looking at ifconfig -A output
might give a clue.

(btw, you might as well skip obfuscating the addresses/ASN, it just makes
it harder to read and doesn't hide anything).





Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Brad Tilley
On Wed, 17 Feb 2010 22:59 -0500, Jason Beaudoin
jasonbeaud...@gmail.com wrote:
 Hi There,
 
 As I often have greater respect for a much larger portion of this list
 than the rest of the internet, I am curious what is thought about
 current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
 Alert Logic, mod_security, even snort.. etc, and in particular, the
 sensibility and effectiveness of using them in high-security
 environments.

I use Snort in IDS mode on OpenBSD and am very satisfied with it. It's
hard to justify spending 10's or 100's of thousands of dollars for
commercial solutions that have the same issues as Snort (false
positives, requires tuning and constant monitoring). I have used large
IBM/ISS Proventia systems in the past. Some of the commercial offerings
will not even give you a terminal so you can use tcpdump... can you
believe that? You have the perfect spot on the network and the perfect
hardware, but you can only use it in a very limited fashion. Very
frustrating.

General purpose OpenBSD boxes with big beefy network interfaces cost a
lot less and do more. I use FreeBSD to run BASE as the analysis
frontend. The OpenBSD Snort sensors ship their alerts to it. I would use
OpenBSD for the frontend as well, but BASE is not currently in ports and
I have not had time to work on porting it and prefer not to go outside
of ports.

Also, I would stay away from IPS mode. There are enough network problems
as is without something randomly deciding to drop packets. There's no
better way to make a network engineer mad than to send them on a wild
goose chase trying to figure out why packets are not getting delivered
only to find out that the IPS is dropping them because certain SSL
traffic looks like a buffer overflow or something. 

That has been my experience.

Brad

 From a compliance perspective, I don't have much choice. From the
 costs, infrastructure, and administrative perspectives, I am currently
 evaluating whether or not I should be leaning towards an IDS or IPS
 solution, and of course which system/vendor. My understanding is that
 something like snort requires a fair bit of maintenance and
 IT-attention, the trade-off being cost, so I am leaning away from
 this. Between detection and prevention, preventing break-ins seems a
 bit sillier than trying to actively monitor what's going on and to
 then look for threats, so this pushes me more towards IDS over IPS.
 
 Thoughts, suggestions, flames, are all welcome.
 
 Thanks.
 
 ~Jason



We subsidize your plans and handsets

2010-02-18 Thread Claro Argentina
It's Simple, It's Claro.


Discover the best and most economical way to communicate.

Free and unlimited communication between the handsets of your fleet anywhere
in the country. Fully subsidized handsets.

Because we want you too to be part of the No. 1 communications company in
America. So that you have the widest coverage, the best price and the
widest variety of services. We bring you the best options on the market in
mobile telephony for customers with a CUIT in SME and corporate fleets.

Lines | Plan | Included minute cost | Total minutes | Total cost per fleet | Excess minute cost | 100% subsidized handsets | Special bonuses
6  | $29 | $0.26 | 660   | $174  | $0.26 | 6 from range B | 50% off the first invoice
6  | $39 | $0.25 | 930   | $234  | $0.25 | 6 from range B | 50% off the first invoice
10 | $29 | $0.23 | 1250  | $290  | $0.23 | 10 from range B | 50% off the first invoice + 100 free SMS per line for one year
10 | $39 | $0.22 | 1800  | $390  | $0.22 | 10 from range B | 50% off the first invoice + 100 free SMS per line for one year
20 | $29 | $0.22 | 2600  | $580  | $0.20 | 3 from range M + 17 from range B | 50% off the first two invoices + 100 free SMS per line for one year + 10 virtual destinations per line at $0
20 | $39 | $0.19 | 4200  | $780  | $0.20 | 1 from range P + 2 from range A + 4 from range M + 13 from range B | 50% off the first two invoices + 100 free SMS per line for one year + 10 virtual destinations per line at $0
60 | $29 | $0.21 | 8400  | $1740 | $0.20 | 9 from range M + 51 from range B | 50% off the first four invoices + 200 free SMS per line for one year + 10 virtual destinations per line at $0
60 | $39 | $0.17 | 13800 | $2340 | $0.20 | 3 from range P + 6 from range A + 12 from range M + 39 from range B | 50% off the first four invoices + 200 free SMS per line for one year + 10 virtual destinations per line at $0

Prices do not include VAT. Claro numbers outside the fleet must be Claro
postpaid numbers (neither prepaid nor Cuenta Segura). The invoice bonus
covers only the plan fees.

FULLY SUBSIDIZED HANDSETS (click the name to see the handset description)

Range A      | Range B       | Range M        | Range P
LG kp570     | Huawei 1005   | Sony W205      | Xperia X1
Samsung 3410 | Nokia 1208    | Samsung E215   | Samsung F480
ZTE I766     | Samsung E1075 | LG Kp 215      | Nokia E71
LG KP 330    | Pantech 1410  | Alcatel OT 701 | BlackBerry 8220

Handset models are the customer's choice although, logically, they are also
subject to stock availability. ALSO ASK ABOUT OTHER AVAILABLE HANDSET MODELS.
If you are already a Claro customer, contact us to receive a proposal for
optimizing your account. Benefits of Claro Fleets

  * Free, unrestricted and unlimited communication among all members of
the fleet from and to anywhere in the country.

  * Minute pool (clearing) to distribute your fleet's total minutes among
whichever phones you want, and even leave part of the fleet for internal
communication only so that it generates no usage.

  * Flat national rate. It does not matter whether you call a landline or a
mobile, short distance or long distance. A minute is always worth the same
and you pay no network, LDN, land-line or similar charges.

  * Virtual Private Network, a tool for managing the phones as if they were
extensions of your company, which gives you 10 free destinations per line
to also communicate free of charge!!! (only for accounts with more than 20
lines)

  * Personalized pre- and post-sales service without leaving your company.

  * SMS packages.

  * Option to lock phones so that they only have internal communication and
do not consume minutes from the pool.

  * The widest national and international coverage.

  * No activation or entry fees (in some particular cases Claro may require
a security deposit, which will be refunded to the customer in the 7th month
of service).

  * 3G Internet in more than 300 cities in Argentina.

  * The cheapest per-minute and per-SMS rates on the market.

  * $29, $39, $49, $69 and $89 plans (the higher the plan cost, the lower
the per-minute cost).

  * The widest variety of handsets on the market.

And all the benefits of being part of the number 1 communications company
in America. To receive more information, send us an e-mail with your details
to infopla...@divisioncorporativa.com.ar, reply to this message, or call us
at 011-155-463-8747 and an account executive will contact you shortly to
answer any questions and let you sign up for the plan from your home,
company or office.
Sabina Poli, Account Executive, Claro Argentina, 011 155-463-8747,
infopla...@divisioncorporativa.com.ar

This is a legal e-mail, free of viruses, and contains information on
services and products that we believe may be of interest to you. In
accordance with the new Argentine Law No. 26.032, the free distribution
of

HIFN 7955 Support in OpenBSD 4.6 on AMD Geode LX800 System

2010-02-18 Thread Liam Farr
Hi,

I have a AMD Geode LX800 based system (PC Engines ALIX 2C3) and am trying to 
use a HIFN 7955 (Soekris VPN1411) crypto card to improve OpenSSL performance 
(for SFTP and OpenVPN).

However after installing the HIFN card I don't seem to get any performance 
gain, and all the crypto still seems to be happening in software.

# fstat /dev/crypto
USER     CMD       PID FD MOUNT  INUM MODE       R/W SZ|DV  NAME
root     sshd    10817  3 /     79183 crw-rw-rw-  rw  crypto /dev/crypto
root     sshd    28851  3 /     79183 crw-rw-rw-  rw  crypto /dev/crypto
root     sshd     2345  3 /     79183 crw-rw-rw-  rw  crypto /dev/crypto
_openvpn openvpn 15800  5 /     79183 crw-rw-rw-  rw  crypto /dev/crypto

It appears that sshd & openvpn are using /dev/crypto; is there a way to tell if 
this is actually using the HIFN card?

I thought that the system might be using the built in crypto in the AMD Geode 
CPU instead of the HIFN and have used config -e -o bsd.new /bsd to disable 
glxsb (glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES) 
in the kernel, and booted the new kernel config however this makes no 
difference.

# dmesg
OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 268009472 (255MB)
avail mem = 250335232 (238MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
"AMD Geode LX Crypto" rev 0x00 at pci0 dev 1 function 2 not configured
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:14:eb:48
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:14:eb:49
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:14:eb:4a
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
hifn0 at pci0 dev 12 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 9
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <CF 4GB>
wd0: 1-sector PIO, LBA, 3823MB, 7831152 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e1ef netmask ffef ttymask 
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout

I am very new to OpenBSD and any help would be appreciated.


Thanks

Liam
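
One way to answer the question above (is the card or the CPU doing the work?), as an added example that is not from the thread: an fstat entry only proves a process opened /dev/crypto, while the hifn0 interrupt counter in vmstat -i only moves when the card completes operations, so compare it around a crypto workload. It assumes OpenBSD's vmstat -i layout ("interrupt total rate" columns, the card's line containing "hifn") and that openssl speed -evp goes through /dev/crypto when a hardware driver is attached.

```shell
#!/bin/sh
# Added example, not from the thread: tell hardware from software crypto
# by watching hifn0's interrupt counter across an OpenSSL run.

# Sum the "total" column (2nd field) of every vmstat -i line mentioning hifn.
# Reads the vmstat -i text on stdin so the parsing can be checked offline.
count_hifn_interrupts() {
    awk '/hifn/ { sum += $2 } END { printf "%d\n", sum + 0 }'
}

# Compare two samples of that counter. Prints "hardware" when the card fired
# during the workload and "software" when it stayed idle (the CPU, or the
# on-die glxsb if it is still enabled, did the work instead).
# Usage: crypto_verdict BEFORE AFTER
crypto_verdict() {
    if [ "$2" -gt "$1" ]; then
        echo hardware
    else
        echo software
    fi
}

# Take a sample, run a short AES workload, take another sample. Only the
# workload step needs the OpenBSD box with the card; everything else is text.
check_hifn_in_use() {
    before=$(vmstat -i | count_hifn_interrupts)
    openssl speed -evp aes-128-cbc >/dev/null 2>&1
    after=$(vmstat -i | count_hifn_interrupts)
    echo "hifn0 interrupts during run: $((after - before)) ($(crypto_verdict "$before" "$after"))"
}
```

The same before/after comparison works around a real sftp transfer or OpenVPN session, which is the traffic the post actually cares about.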



What the Internet Can Do for Your Business - Internet Marketing Experts 2010 - March 26, Mexico City - Google, WSI

2010-02-18 Thread Fernanda Rivas
Congress & Marketing | Training for Mexico

Newsletter

Congreso Nacional Internet Marketing Experts iMex® 2010
The Internet as a Business Strategy
Date: 26 March 2010. Venue: Crowne Plaza® Hotel de México. Be seen to be
profitable. The Internet as a marketing medium offers exceptional benefits
and brand-recognition potential for every kind of industry. An unprecedented
event that proposes cutting-edge alternatives and technology presented by
leaders in the field. Internet marketing is highly profitable, offers many
unique advantages that traditional advertising cannot match, as well as
high-impact, high-performance tools that will build a true bond between
your company and your target market.

WSI, the world's #1 Internet franchise company as ranked by industry leading
Entrepreneur Magazine, shared its expertise with the Mexican business
community by participating in the 2009 Internet Marketing Experts (iMex)
Congress, sharing the stage with Google on Friday November 27. More than
100 local business owners and marketing executives convened at the Crowne
Plaza® Hotel in Mexico City for the iMex conference entitled "Congreso
Nacional Internet Marketing Experts."

Request a brochure with details of the event (PDF brochure).
Please reply to this e-mail with your complete details:
Name:
Position:
Company:
Telephone:
City:
State:
e-mail:
No. of people interested:
Contact our call centre and a Congress & Marketing executive will gladly
assist you.
01(33)1201-6898, (33)1562-1784 and (33)3110-6502

Objectives and Benefits

What can Internet marketing do for my business?

  * Generate traffic to your website or physical premises (lead generation,
sales, etc.)

  * Improve your online promotional activities: one more way to reach
customers

  * Extend your brand positioning into new markets
  * Give your business an advantage over your competition

  * Reduce your marketing costs while improving your results

Some of our speakers

Google, WSI We Simplify The Internet
Miguel Alva, Google

Marketing Director, Mexico. Worked for Motorola Latin America (2005-2007) as
Marketing and User Experience Communication Manager. There he designed
product strategies that added value for users by responding in a
coordinated way to the needs of the regional market, as well as forging
strategic alliances with brands such as Gucci, Tous, Kodak and Ferrari.

Ing. Carlos Guzmán, WSI

Has previously held executive positions at Apple Computer México, BITAL,
Dataflux and Toshiba. He was general director of CENECEC and a member of
the founding board of CNCI and Expertus.

Congress & Marketing Online S.C. © 2009
All Rights Reserved.
Telephones in the city of Guadalajara: 01(33)1201-6898, (33)1562-1784 and
(33)3110-6502

This message has been sent to misc@openbsd.org as a Congress & Marketing
user, or because a user referred you to receive this newsletter. As a
Congress & Marketing user, you hereby expressly authorize Congress &
Marketing to contact you by e-mail or other means. If you received this
message in error, ignore it and report your account by replying to this
e-mail with the subject BAJA CM000SCRMZ. To unsubscribe from this mailing
list, reply with a blank message with the subject UNSUBSCRIBE CM000SCRMZ.
Please note that the management of our databases is of the utmost
importance and it is not the company's intention to cause the recipient
any displeasure.



Broadcom NetXtreme II BCM5716 1000Base-T being recognized with bnx instead of bge.. is that OK?

2010-02-18 Thread Andres Salazar
Greetings.

I have an R210 DELL with a built in Broadcom NetXtreme II BCM5716
1000Base-T being recognized with bnx instead of bge .. I am having
problems starting the network within the OpenBSD 4.6 installer.

I noticed that the manual for bge says:

The bge driver provides support for various NICs based on the Broadcom
 BCM570x, 571x

That would include my BCM5716, wouldn't it? Is there a problem if it's
getting recognized with the other driver?


Thanks

Andres



Re: Broadcom NetXtreme II BCM5716 1000Base-T being recognized with bnx instead of bge.. is that OK?

2010-02-18 Thread Tomas Bodzar
Hi,

Post your dmesg and pcidump -v. Did you try 4.7 to see if it's repaired?

On Thu, Feb 18, 2010 at 3:11 PM, Andres Salazar ndrsslz...@gmail.com wrote:
 Greetings.

 I have a Dell R210 with a built-in Broadcom NetXtreme II BCM5716
 1000Base-T being recognized with bnx instead of bge. I am having
 problems starting the network within the OpenBSD 4.6 installer.

 I noticed that the manual for bge says:

 The bge driver provides support for various NICs based on the Broadcom
 BCM570x, 571x

 That would include my BCM5716, wouldn't it? Is there a problem if it's
 getting recognized with the other driver?


 Thanks

 Andres





--
http://www.openbsd.org/lyrics.html



Re: Broadcom NetXtreme II BCM5716 1000Base-T being recognized with bnx instead of bge.. is that OK?

2010-02-18 Thread Claudio Jeker
On Thu, Feb 18, 2010 at 08:11:02AM -0600, Andres Salazar wrote:
 Greetings.
 
 I have a Dell R210 with a built-in Broadcom NetXtreme II BCM5716
 1000Base-T being recognized with bnx instead of bge. I am having
 problems starting the network within the OpenBSD 4.6 installer.
 
 I noticed that the manual for bge says:
 
 The bge driver provides support for various NICs based on the Broadcom
  BCM570x, 571x
 
 That would include my BCM5716, wouldn't it? Is there a problem if it's
 getting recognized with the other driver?
 

No the BCM5716 is a bnx(4) card (see bnx(4)). Did you try a -current
installer?

-- 
:wq Claudio



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Jason Beaudoin
On Wed, Feb 17, 2010 at 11:47 PM, mehma sarja mehmasa...@gmail.com wrote:
  Don't bypass Snort because PFSense package makes it so easy to install and
 configure. A one-click install of Snort and the only thing left to do was
 register and select what you want it to do.

 Mehma

Hi Mehma,

I'm hoping you can expand on this - maybe it is just me, but I'm not
quite sure what you're trying to say or communicate.



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Jason Beaudoin
On Wed, Feb 17, 2010 at 11:28 PM, Johan Beisser j...@caustic.org wrote:
 On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin jasonbeaud...@gmail.com 
 wrote:
 From a compliance perspective, I don't have much choice. From the
 costs, infrastructure, and administrative perspectives, I am currently
 evaluating whether or not I should be leaning towards an IDS or IPS
 solution, and of course which system/vendor. My understanding is that
 something like snort requires a fair bit of maintenance and
 IT-attention, the trade-off being cost, so I am leaning away from
 this. Between detection and prevention, preventing break-ins seems a
 bit sillier than trying to actively monitor what's going on and to
 then look for threats, so this pushes me more towards IDS over IPS.

 I agree with you. High rates of false positives, but fairly low rates
 of false negatives. Once the care and feeding is taken care of
 (turning off everything and gradually fine tuning to your current
 traffic helps), they're useful for alerting against unusual traffic
 leaving your network; not so much against automated attacks coming in
 the network. My own deployments are specifically to monitor for odd
 outbound traffic from my office. It's a rapid way to find out about
 the latest trojan, worm, or other infection my users have brought in
 on their laptops.

Indeed, this is why IDS makes more sense to me, and I am glad to see
this confirmed/validated by others here. So I guess this is now just a
question of setting up snort versus a commercial solution.


 That said, the usefulness of an IDP is specifically preventing most
 automated and known attacks from passing in to your network. By using
 one of the commercial systems, you gain support, tuning, and the fact
 that you don't have to spend as much time with the care and feeding or
 writing/testing new rulesets against your current version.

This is the difficult place I'm in.. to me, the commercial solution
means I have someone else looking at and dealing with all of the false
positives, which is something that I won't kid myself on - I don't
know if I even have the time to be the fine tuning machine.. then
again the cost is just plain silly when compared with a snort/bsd
setup.

Are there any good open source alternatives to Snort that are worth
considering here?


 As a compliance feature, I've found most administrators put them in
 place and promptly turn the reporting off due to the high rate of
 false positives reducing the signal from the noise.

 jb


right, which is just silly and a waste of everyone's time.

thanks for sharing..

~Jason



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread mehma sarja
Jason,

I was trying to communicate my very small and limited experience with Snort
on a PFSense appliance (FreeBSD + pf). The install and configuration is
easy. I cannot speak to on-going maintenance on a big network.

Mehma
===


On Thu, Feb 18, 2010 at 6:30 AM, Jason Beaudoin jasonbeaud...@gmail.comwrote:

 On Wed, Feb 17, 2010 at 11:47 PM, mehma sarja mehmasa...@gmail.com
 wrote:
   Don't bypass Snort because PFSense package makes it so easy to install
 and
   configure. A one-click install of Snort and the only thing left to do
 was
  register and select what you want it to do.
 
  Mehma

 Hi Mehma,

 I'm hoping you can expand on this - maybe it is just me, but I'm not
 quite sure what you're trying to say or communicate.



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Jason Beaudoin
On Thu, Feb 18, 2010 at 2:33 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:
 http://www.ranum.com/security/computer_security/editorials/dumb/index.html

 especially number 2 is targeted against IDS/IPS, antivirus and similar
 solutions. I found this link thanks to my colleague and it's really
 very descriptive.


Great article, and definitely right on.. and it certainly makes me
appreciate the openbsd community, as I've picked up on this more
true perspective of security having hung around here for long enough
that it all rubs off.

Anyway.. thanks Tomas!



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Vijay Sankar

Jason Beaudoin wrote:

On Wed, Feb 17, 2010 at 11:28 PM, Johan Beisser j...@caustic.org wrote:

On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin jasonbeaud...@gmail.com wrote:

From a compliance perspective, I don't have much choice. From the
costs, infrastructure, and administrative perspectives, I am currently
evaluating whether or not I should be leaning towards an IDS or IPS
solution, and of course which system/vendor. My understanding is that
something like snort requires a fair bit of maintenance and
IT-attention, the trade-off being cost, so I am leaning away from
this. Between detection and prevention, preventing break-ins seems a
bit sillier than trying to actively monitor what's going on and to
then look for threats, so this pushes me more towards IDS over IPS.

I agree with you. High rates of false positives, but fairly low rates
of false negatives. Once the care and feeding is taken care of
(turning off everything and gradually fine tuning to your current
traffic helps), they're useful for alerting against unusual traffic
leaving your network; not so much against automated attacks coming in
the network. My own deployments are specifically to monitor for odd
outbound traffic from my office. It's a rapid way to find out about
the latest trojan, worm, or other infection my users have brought in
on their laptops.


Indeed, this is why IDS makes more sense to me, and I am glad to see
this confirmed/validated by others here. So I guess this is now just a
question of setting up snort versus a commercial solution.



That said, the usefulness of an IDP is specifically preventing most
automated and known attacks from passing in to your network. By using
one of the commercial systems, you gain support, tuning, and the fact
that you don't have to spend as much time with the care and feeding or
writing/testing new rulesets against your current version.


This is the difficult place I'm in.. to me, the commercial solution
means I have someone else looking at and dealing with all of the false
positives, which is something that I won't kid myself on - I don't
know if I even have the time to be the fine tuning machine.. then
again the cost is just plain silly when compared with a snort/bsd
setup.

Are there any good open source alternatives to Snort that are worth
considering here?



As a compliance feature, I've found most administrators put them in
place and promptly turn the reporting off due to the high rate of
false positives reducing the signal from the noise.

jb



right, which is just silly and a waste of everyone's time.

thanks for sharing..

~Jason



bro-ids may be an alternative for you to consider. There is a 
port/package like snort and the maintainer had asked for feedback/tests 
for the new version 1.5.1 in the lists recently. It has a number of 
features that I felt complemented Snort's list of features.


--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Jason Beaudoin
On Thu, Feb 18, 2010 at 10:08 AM, Vijay Sankar vsan...@foretell.ca wrote:
 bro-ids

Great suggestion! thank you :)



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread bofh
Allow me to speak from another perspective.  It all depends on $$, and the
network you have and how much leverage the security team has.

Usually, the security team does not have as much leverage and needs to play
catch up.

Understand this - no matter which solution you choose,
IDS/IPS/opensource/commercial, *someone* has to dedicate time to watching
the logs and alerts, or you might as well not do it.

When we implemented ours, my IPS guy spent half a year analyzing the
traffic, working out with each team on documenting every single traffic
pattern.  Once that is done, we flipped the switch and turned the monitoring
into prevention mode.

And unless you have a huge security team, I'll take every bit of help I can
take - I used to be against IPS (preferring IDS instead), but after living
with it for 3 years, I'll take IPS to knock off some of the crap.

Just don't get ISS crap.

Also, snort is good, but you must know what you're doing.  Our snort box,
running on an old throw away box, and only capturing/analyzing 10 minutes of
every hour, is giving us *MORE* useful data than half a mil worth of ISS
crap.

And the commercial version, sourcefire, is even better.  My ex-coworkers at
another place just had a shoot-out of 10G devices, and Sourcefire came out
head and shoulders above everyone else.





-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.  --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Installer caching selections across different installations... how?

2010-02-18 Thread Theo de Raadt
I have been installing OpenBSD 4.6 inside a VMWare ESXi 4.0 virtual machine
and ran into a strange behavior I can't explain... it seems to cache my
installation options between totally unrelated virtual machines.  The
process goes like this:

I create a new 'Typical' virtual machine, select 'Other' as the guest OS and
choose 'Other (32-bit)' in the Version pulldown menu.  I accept all default
settings (256MB ram, 1 vCPU, 8GB disk, etc) and check the Thin Provisioning
disk allocation checkbox.  I then associate the cd46.iso file (stored on a
datastore) with the virtual cdrom drive and boot off of it to begin the
installation process, where I specify a local LAN ftp server to fetch the
install media from.

The install process goes as expected and the virtual machine is running
happily along...  The thing is, when I create a second brand new virtual
machine using the process described above and get to the 'select install
media' step, it already has my local ftp server's name populated!  As far as
I can tell, the only thing in common between the two installation processes
is the cd46.iso file.

This isn't necessarily bad, I just can't explain why its happening.  Two
questions:

1) Is anyone else observing this behavior?
2) Can anyone explain why it is occurring?

It is entirely intentional, and designed into the install scripts.

For the large majority of people, this is very helpful behaviour.
For people using NAT and other IP sharing mechanisms, yes, it can
be awkward, but you are (and will remain) in the minority.



Re: Installer caching selections across different installations... how?

2010-02-18 Thread Theo de Raadt
Ah, this definitely makes sense.  It is a handy little feature but I am a
little surprised the privacy advocates out there in OpenBSD-land didn't cry
foul about reporting information back to the mothership like that.

Perhaps they finally learned that we would not care in the least
what they cried about.



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Laurens Vets

interesting  spot on remarks


Just don't get ISS crap.

Also, snort is good, but you must know what you're doing.  Our snort box,
running on an old throw away box, and only capturing/analyzing 10 minutes of
every hour, is giving us *MORE* useful data than half a mil worth of ISS
crap.


Care to elaborate? :)

more interesting information

Thanks!



MAX_KMAPENT and NKMEMPAGES

2010-02-18 Thread Vasiliy Kiryanov
Hello Community.

There are 2 parameters that I would want to understand better and trace somehow:
MAX_KMAPENT, and NKMEMPAGES.

notice:
I have found only one source of such info:
Running and tuning OpenBSD network server in a production
environment (Oct 8, 2002)
http://www.openbsd.org/papers/tuning-openbsd.ps

I'll be glad to know about any additional source that I can read to
understand it better.


I have rebuilt kernel with following values:
option NKMEMPAGES=32768
option MAX_KMAPENT=3072

MAX_KMAPENT check:
# vmstat -s
6179 kernel map entries (how can it be more than 3072 ?)


NKMEMPAGES check:
# vmstat -m
Memory resource pool statistics
NameSize Requests FailInUse Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
mbpl 256 189887305   0 1239   49932   467   467 1   384  353
mcl2k   2048 1414599843  0  521  1857 0  1857  1857 4  3072 1590

People often write that we can find some correlation between these
params and NKMEMPAGES.
I can't find any correlation here, so any hints are welcome.

thank you.

--
Vasiliy Kiryanov



Re: Apache Firefox and Ogg Theora (Byte-range requests)

2010-02-18 Thread Атанас Владимиров
2010/2/18 Pierre-Yves Ritschard p...@spootnik.org

  This appears to be due to the format of the string being passed to
  strtonum().  ap_strtol() was tolerant of it.  It's being passed the
  string from the Range: header.
 
  For example, the following valid request (taken directly from sniffing a
  wget session).
 
   GET /testfile HTTP/1.0
   Range: bytes=300417024-
 
  This ends up following the code path of the first strtonum() call around
  line 159 in http_protocol.c in the parse_byterange() function.  The
  string passed to strtonum to convert (r->range) not only contains the
  number from the header, but the trailing dash (300417024-), which
  strtonum does not like.  As strtonum fails, the start offset is set to
  0.
 
  This bug should be present on a 64-bit arch as well.
 
 
 Hi,

 I broke it when unbreaking support for large files in Content-Length (which
 would otherwise report 0). I'll have a diff ready soon which fixes that.

  - pyr.


I'm glad to hear this :)

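The failure described in the quoted analysis, modelled in Python as an added example (this is not Apache's http_protocol.c and not the diff pyr mentions). strict_int() stands in for OpenBSD strtonum(3), which rejects any string that is not entirely a number in range, and lenient_int() stands in for the strtol-style ap_strtol() it replaced; buggy_start() reproduces the reported symptom (the trailing dash of an open-ended range makes the conversion fail and the start offset falls back to 0), and parse_byterange() shows the split-before-convert fix. MAX_OFFSET, the function names and the sample headers are assumptions.

```python
"""Byte-range parsing: the strtonum() failure reported above, beside a split
that avoids it. Added example, not Apache's http_protocol.c.

strict_int() models OpenBSD strtonum(3): the entire string must be a number
in range, so '300417024-' (the open-ended range with its trailing dash)
fails. lenient_int() models the strtol-style ap_strtol() that stopped at
the first non-digit. Sample headers are constructed.
"""

MAX_OFFSET = 2**63 - 1   # assumed off_t range; a 64-bit arch hits this bug too


def strict_int(s, lo, hi):
    """strtonum(3)-like: all ASCII digits and within [lo, hi], else None."""
    if not s or not all("0" <= c <= "9" for c in s):
        return None
    v = int(s)
    return v if lo <= v <= hi else None


def lenient_int(s):
    """strtol-like: consume leading digits, ignore whatever follows."""
    i = 0
    while i < len(s) and "0" <= s[i] <= "9":
        i += 1
    return int(s[:i]) if i else 0


def buggy_start(range_spec):
    """Reproduces the reported behaviour: the whole spec ('300417024-') goes to
    the strict converter, and on failure the start offset silently becomes 0."""
    v = strict_int(range_spec, 0, MAX_OFFSET)
    return 0 if v is None else v


def parse_byterange(header, clen):
    """Parse a single-range 'bytes=...' Range value for a clen-byte body.

    Returns (start, end), inclusive, or None when malformed/unsatisfiable.
    The fix is to split on '-' *before* converting, so strtonum-style
    strictness only ever sees digits."""
    if not header.startswith("bytes="):
        return None
    spec = header[len("bytes="):]
    if spec.count("-") != 1:
        return None
    first, last = spec.split("-")
    if first == "":                                 # '-N': the last N bytes
        n = strict_int(last, 1, MAX_OFFSET)
        if n is None or clen == 0:
            return None
        return (max(clen - n, 0), clen - 1)
    start = strict_int(first, 0, MAX_OFFSET)
    if start is None:
        return None
    end = clen - 1 if last == "" else strict_int(last, 0, MAX_OFFSET)
    if end is None:
        return None
    end = min(end, clen - 1)
    if start > end:                                 # start past EOF: not satisfiable
        return None
    return (start, end)


if __name__ == "__main__":
    hdr = "bytes=300417024-"                        # the wget request from the report
    print("buggy start:", buggy_start(hdr[len("bytes="):]))
    print("fixed range:", parse_byterange(hdr, 400_000_000))
```

The point of keeping the strict converter is that it also rejects "bytes=abc-" and out-of-range values outright instead of silently serving from offset 0, which is the behaviour the lenient parser would have hidden; the split just has to happen first.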


Re: HIFN 7955 Support in OpenBSD 4.6 on AMD Geode LX800 System

2010-02-18 Thread Ryan Corder
On Fri, Feb 19, 2010 at 01:21:18AM +1300, Liam Farr wrote:
| I have a AMD Geode LX800 based system (PC Engines ALIX 2C3) and am trying to
| use a HIFN 7955 (Soekris VPN1411) crypto card to improve OpenSSL performance
| (for SFTP and OpenVPN).
|
| However after installing the HIFN card I don't seem to get any performance
| gain, and all the crypto still seems to be happening in software.
|
| # fstat /dev/crypto
| USER     CMD       PID   FD MOUNT   INUM MODE        R/W  SZ|DV  NAME
| root     sshd    10817    3 /      79183 crw-rw-rw-  rw   crypto /dev/crypto
| root     sshd    28851    3 /      79183 crw-rw-rw-  rw   crypto /dev/crypto
| root     sshd     2345    3 /      79183 crw-rw-rw-  rw   crypto /dev/crypto
| _openvpn openvpn 15800    5 /      79183 crw-rw-rw-  rw   crypto /dev/crypto

I quick search of this list's archives or the archives of
soekris-t...@lists.soekris.com will likely provide you with an answer.
Essentially, on these lower-power devices, the cost of moving the data to and
from the crypto card across the PCI bus negates most performance gains you
would achieve trying to offload it.

This, however, is but one possible answer to your problem.


--
Ryan Corder  || () ASCII ribbon campaign
ryanc at greengrey.org || /\  against HTML email
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1CB59D69

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: HIFN 7955 Support in OpenBSD 4.6 on AMD Geode LX800 System

2010-02-18 Thread Brian A. Seklecki (CFI NOC)

On 2/18/2010 7:21 AM, Liam Farr wrote:

Hi,



I thought that the system might be using the built in crypto in the AMD Geode CPU instead of the 
HIFN and have used config -e -o bsd.new /bsd to disable glxsb (glxsb0 at pci0 dev 1 
function 2 AMD Geode LX Crypto rev 0x00: RNG AES) in the kernel, and booted the new 
kernel config however this makes no difference.


LF:

 FreeBSD had a cool utility called cryptostats that poll()'d usage 
stats out of the kernel for debugging.


http://www.freebsd.org/cgi/cvsweb.cgi/src/tools/tools/crypto/


It was written by Sam Leffler.  I've been meaning to port it over to 
NetBSD/OpenBSD.  LMK and I'll jump in.


~BAS



Discounts on great gifts, still until the end of February!

2010-02-18 Thread E-topshop

The best gifts in the month of love, with discounts of up to 25%

The Super offer lasts only 10 more days, hurry!

Find the right gift for the one you love, or something for yourself!

Now is the time, take advantage of the Super offer!

Valentine's Day

See everything in the offer for those in love

You are receiving this e-mail because you voluntarily left your e-mail
address on one of the Top Shop websites, took part in our gift game or
prize quiz, or signed up for the e-magazine of Top Shop or one of our
brands.

The offers in this e-mail apply only to orders placed over the Internet or
by telephone on 021 489 26 60. Offers are valid until 10 February 2010 or
while stocks last. We deliver only within Serbia.

If you no longer wish to receive our e-mail messages, click here to
unsubscribe from our e-mailing list. Enter your exact e-mail address in
the form on the web page and confirm the unsubscription.

Studio Moderna d.o.o., Bulevar vojvode Stepe 30, 21000 Novi Sad, Tel: 021
489 26 60, Fax: 021 489 29 08, E-mail: i...@news.e-topshop.tv

If you would no longer like to receive our emails please unsubscribe by
clicking here.



mod_ldapvhost

2010-02-18 Thread Bambero
Hello

I have a problem with mod_ldapvhost. It won't resolve hosts. I still
have DocumentRoot from httpd.conf. Does it require any additional
configuration? I'm sure that the connection between apache and openldap is
established properly.

Maybe someone have an example ldif file to test.

Unfortunately there is no documentation for mod_ldapvhost.

Thanks for any help,
Bambero



Re: How to change pciide to ahci if there is no option for this in BIOS

2010-02-18 Thread Brynet
Hi,

There is no runtime option to enable AHCI support (..although it would
be nice).

If the BIOS doesn't provide the ability to configure this, your only
recourse is to modify the ahci.c driver and force attach on this
specific device.

Last month I posted a diff for someone else, although it didn't appear
to help him.

http://marc.info/?t=12647775751r=1w=2

It is possible however that the controller does not support AHCI, and it
isn't guaranteed to solve any performance problems.

-Bryan.



Re: Current on FuLoong unable to figure out system type

2010-02-18 Thread Lars Nooden

On Thu, 18 Feb 2010, Otto Moerbeek wrote:

Retry with boot -k tftp://..., as suggested by the error message.
Also PMON sometimes gets confused, and a power cycle is needed (using the
reset button is not enough in all cases).


Thanks.  I had misinterpreted the message and put the -k as an argument 
for bsd.rd


Boots bsd.rd fine now.  There are a great many 'spurious interrupt 4' 
messages during the installation process.  The ext2 boot partition seems 
to still be needed for booting.  I tried to dig out some linux netboot for 
that but couldn't find anything that supports fuloong yet.  Ended up using 
dd to make the ext2 partition.


It boots bsd current just fine now via the ext2 partition.

/Lars



Re: mod_ldapvhost

2010-02-18 Thread Bret S. Lambert
On Thu, Feb 18, 2010 at 08:23:08PM +0100, Bambero wrote:
 Hello
 
 I have a problem with mod_ldapvhost. It won't resolve hosts. I still
 have DocumentRoot from httpd.conf. Does it require any additional
 configuration? I'm sure that the connection between apache and openldap is
 established properly.

You likely need to work out how to get /etc/resolv.conf inside
your http chroot.

This has been discussed enough on the list that you shouldn't have
any trouble figuring out how to shoehorn most anything, up to and
including a working Windows7 install, into the chroot environment.

 
 Maybe someone have an example ldif file to test.
 
 Unfortunately there is no documentation for mod_ldapvhost.
 
 Thanks for any help,
 Bambero



Re: How to change pciide to ahci if there is no option for this in BIOS

2010-02-18 Thread Chris Cappuccio
This system is definitely too old for AHCI to be a chipset option.  

You could always add in a cheap SATA card with Silicon Image chip, the sili 
driver supports NCQ...

1-3MB/sec isn't near the max speed of any of your hardware, and you fail to 
mention what you are doing while iostat is running to show this.  What is the 
problem again?

Tomas Bodzar [tomas.bod...@gmail.com] wrote:
 Hi all,
 
 my friend started using OpenBSD on his server, but he has quite bad
 performance with his disk. Actually it's running in native mode:
 
 pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA,
 channel 0 configured to native-PCI, channel 1 configured to native-PCI
 pciide1: using apic 2 int 18 (irq 9) for native-PCI interrupt
 
 
 and there is no chance to switch it to AHCI. So he will install a newer
 BIOS (there is no info about a possible new option for it in the release
 notes). So before additional tests it would be good if it were
 possible to switch to AHCI directly. Is there such an option? From the man
 page for pciide I can see that it's possible to set some options for
 some controllers via config, so is it possible for AHCI too? Soft
 updates aren't enabled and I know that this has an impact on
 performance, so he will enable them. Then it's only down to AHCI/native, the namei
 cache and the combination of all the HW involved.
 
       tty            cd0             wd0             cpu
  tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
    0   18  0.00   0 0.00  26.55  49 1.27   3  0  3  3 92
    0   89  0.00   0 0.00  14.93 214 3.12  13  0 21 14 53
    0    0  0.00   0 0.00  15.54 171 2.60  13  0 11 10 65
    0    0  0.00   0 0.00  15.91 161 2.51  16  0 12 10 62
    0    0  0.00   0 0.00  15.83 168 2.60  17  0 12  8 62
    0    0  0.00   0 0.00  15.87 165 2.56  14  0 14  8 64
    0  176  0.00   0 0.00  16.00 199 3.10  14  0 11 11 63
    0    0  0.00   0 0.00  15.84 179 2.77  11  0 14 14 60
    0    0  0.00   0 0.00  15.49 150 2.26  14  0 14  9 62
    0    0  0.00   0 0.00  14.24 130 1.81  13  0 12  5 69
 
  procs    memory        page                     disks    traps           cpu
  r b w    avm     fre  flt  re  pi  po  fr  sr cd0 wd0  int   sys    cs us sy id
  0 5 0  19584  414996  508   0   0   0   0   0   0  54 1006  5732  1859  3  5 92
  0 5 0  19592  414988   25   0   0   0   0   0   0 116 8059 43686 14876 17 30 53
  1 5 0  19592  414988    7   0   0   0   0   0   0   0 4384 26122  9199 15 27 57
  0 5 0  19592  414956   11   0   0   0   0   0   0   0 4486 26236  9287 17 23 60
  1 5 0  19592  414972   34   0   0   0   0   0   0   0 4005 24506  8873 14 16 70
  0 5 0  19592  414988    7   0   0   0   0   0   0   0 4594 26552  9348 15 21 63
  0 5 0  19592  414948    7   0   0   0   0   0   0   0 4493 26480  9379 17 23 59
  0 5 0  19592  414948    7   0   0   0   0   0   0   2 4086 24244  8709 17 19 64
  1 5 0  19592  414964   11   0   0   0   0   0   0   0 4096 24023  8595 14 18 67
  0 5 0  19592  415012   34   0   0   0   0   0   0   0 4582 26632  9397 19 21 59
 
 
 
 
 
 
 
 OpenBSD 4.7-beta (GENERIC.MP) #409: Sun Feb  7 17:09:00 MST 2010
 t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
 RTC BIOS diagnostic error 18memory_size,fixed_disk
 cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
 real mem  = 534806528 (510MB)
 avail mem = 509517824 (485MB)
 RTC BIOS diagnostic error 18memory_size,fixed_disk
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 09/29/04, BIOS32 rev. 0 @
 0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (69 entries)
 bios0: vendor Dell Computer Corporation version A06 date 09/29/2004
 bios0: Dell Computer Corporation OptiPlex GX270
 acpi0 at bios0: rev 0
 acpi0: tables DSDT FACP SSDT APIC BOOT ASF!
 acpi0: wakeup devices VBTN(S4) PCI0(S3) USB0(S3) USB1(S3) USB2(S3)
 USB3(S3) PCI1(S5) MOU_(S3)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 199MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu1: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
 ioapic0: misconfigured as apic 0, remapped to apid 2
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (PCI1)
 acpicpu0 at acpi0
 acpicpu1 at acpi0
 acpibtn0 at acpi0: VBTN
 bios0: ROM list: 0xc/0xa800 0xca800/0x1800!
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82865G Host rev 0x02
 vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 intagp0 

Re: Current on FuLoong unable to figure out system type

2010-02-18 Thread Otto Moerbeek
On Thu, Feb 18, 2010 at 09:44:17PM +0200, Lars Nooden wrote:

 On Thu, 18 Feb 2010, Otto Moerbeek wrote:
 Retry with boot -k tftp://..., as suggested by the error message.
 Also PMON sometimes gets confused, and a power cycle is needed (using the
 reset button is not enough in all cases).
 
 Thanks.  I had misinterpreted the message and put the -k as an
 argument for bsd.rd
 
 Boots bsd.rd fine now.  There are a great many 'spurious interrupt
  4' messages during the installation process.  The ext2 boot
  partition seems to still be needed for booting.  I tried to dig out
 some linux netboot for that but couldn't find anything that supports
 fuloong yet.  Ended up using dd to make the ext2 partition.
 
 It boots bsd current just fine now via the ext2 partition.
 
 /Lars

The spurious interrupts will be solved if you update to current. 

The last days I spent working on the install procedure. The code I
am about to commit is able to create a small ext2 partition or use an
existing ext2 one to install the bootloader on. The kernel will then be
read from ffs.

-Otto



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread bofh
On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets laur...@daemon.be wrote:

 interesting  spot on remarks


  Just don't get ISS crap.

 Also, snort is good, but you must know what you're doing.  Our snort box,
 running on an old throw away box, and only capturing/analyzing 10 minutes
 of
 every hour, is giving us *MORE* useful data than half a mil worth of ISS
 crap.


 Care to elaborate? :)

 Which parts?  ISS suck so much that even though IBM spent $$ to acquire
them, IBM is now killing the entire product line?  What kills me (and *TAKE
NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a
report on how ISS's IPS took top billing in some magazine or review.

On what we're doing internally, we're capturing data for 10 minutes every
hour, and then having the box analyze that data using a variety of tools
including snort.  It then sends us information on crap such as botnet
command/control traffic among other things.  Things that we have full packet
captures on, that ISS refuses to provide.  We also drop it into a graphing
tool, so we get nice maps of green/good traffic and red/bad traffic, and you
can see the 3 boxes that are talking to all the botnet C&C servers, etc.

We're still working on it, and I hope the new(er) servers we are putting in
will be able to provide better/more info.  Hopefully we'll buy some really
beefy servers later in the year so that we can do full analysis.

I'll send a list of the tools we used later, have to ping my guy for it :)

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.  --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4
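Both Johan's remark earlier in this thread (an IDS earns its keep alerting on odd traffic leaving the network, once it has been tuned to your own traffic) and the description above of periodic captures that surface botnet command-and-control traffic come down to the same check: which internal hosts talk to the same outside host:port on a fixed schedule. The following is an added example of that check, not code from the thread, from Snort or from Bro. The one-line-per-flow record format, the internal address ranges and the thresholds are assumptions, and the flow records are constructed.

```python
"""Detecting regular outbound connections (beaconing) in flow records.

Added example, not code from the thread nor from Snort or Bro. It implements
the approach described above: look at traffic *leaving* the network, and
flag internal hosts that talk to the same external host:port on a fixed
schedule, which is how a bot polls its command-and-control server. The
one-line-per-flow format, the internal address ranges and the thresholds
are assumptions; the records are constructed.

Record format (hypothetical):  <unix_ts> <src_ip> <dst_ip> <dst_port> <proto> <bytes>
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; anything else counts as "outside".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: 10.0.1.23 contacts 203.0.113.7:443 every ~300 s with
# near-identical sizes; 10.0.1.40 browses 198.51.100.9 with irregular timing
# and also talks to an internal file server, which is never considered.
SAMPLE_LOG = """\
1266480000 10.0.1.23 203.0.113.7 443 tcp 512
1266480301 10.0.1.23 203.0.113.7 443 tcp 514
1266480599 10.0.1.23 203.0.113.7 443 tcp 512
1266480902 10.0.1.23 203.0.113.7 443 tcp 510
1266481200 10.0.1.23 203.0.113.7 443 tcp 512
1266480010 10.0.1.40 198.51.100.9 80 tcp 20480
1266480075 10.0.1.40 198.51.100.9 80 tcp 3072
1266480900 10.0.1.40 198.51.100.9 80 tcp 91033
1266481500 10.0.1.40 198.51.100.9 80 tcp 4020
1266481510 10.0.1.40 198.51.100.9 80 tcp 2200
1266480050 10.0.1.40 10.0.2.5 445 tcp 9000
"""


def parse_flows(text):
    """Parse the constructed flow format into tuples; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append((int(ts), ip_address(src), ip_address(dst),
                      int(dport), proto, int(nbytes)))
    return flows


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def find_beacons(flows, min_events=4, max_cv=0.1):
    """Group outbound flows by (src, dst, dport) and flag groups whose
    inter-arrival times are regular: coefficient of variation (stddev/mean)
    at or below max_cv over at least min_events flows.

    Returns a list of (src, dst, dport, mean_interval_seconds, flow_count)."""
    groups = defaultdict(list)
    for ts, src, dst, dport, _proto, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            groups[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:                       # burst at one instant: not a schedule
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((str(src), str(dst), dport, round(mean), len(stamps)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, interval, n in find_beacons(parse_flows(SAMPLE_LOG)):
        print("beacon: %s -> %s:%d every ~%ds (%d flows)" % (src, dst, dport, interval, n))
```

The thresholds are where the "care and feeding" from the thread lives: NTP, package mirrors, monitoring agents and update checkers beacon too, so the first runs against real traffic produce an allowlist of expected (dst, port) pairs, and only then does the remaining output become an alert rather than noise. Sampling ten minutes per hour, as described above, shortens each group and argues for a lower min_events or a longer capture window.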



February Courses and Promotions

2010-02-18 Thread Newsletter R.H.
SERVICIOS VISIÓN HUMANA

Visión Humana (Human Resources Consultancy) is pleased to invite you to
the courses we will be giving in the month of February.

Click to see the syllabus.

IMSS COURSE (SUA IDSE)

19 February

DETERMINING THE 2010 OCCUPATIONAL RISK PREMIUM

(20 February)

COMPREHENSIVE PAYROLL WORKSHOP 2010

(22, 23 and 24 February)

EMOTIONAL INTELLIGENCE APPLIED TO LEADERSHIP

(25 February)

MACHOVER COURSE (HUMAN FIGURE DRAWING)

26 February

PAYROLL COURSE 2010

(27 February)

PSYCHOLOGICAL TESTING IN HR COURSE 1

(5 March)

VENUE:

Visión Humana

Dr. Barragán No. 560, Office 5, Col. Narvarte, Mexico City

Tel. 4633 7752 (local call in Mexico City)

Fax: 3548 1624 (local call in Mexico City)

capacitac...@serviciosvisionhumana.com.mx

SERVICES

Recruitment and Staff Selection

Psychological Assessments

Socioeconomic Studies

POLYGRAPH EVALUATION

Payroll Outsourcing

CONTACT

capacitac...@serviciosvisionhumana.com.mx

www.serviciosvisionhumana.com.mx

Tel: (0155) 4633 7752

Fax: (0155) 3548 1624

WE ACCEPT ALL CREDIT AND DEBIT CARDS

(Except American Express)

Remember that this information may be useful to you in the future. To
unsubscribe, reply with the subject BORRAR.



Re: HIFN 7955 Support in OpenBSD 4.6 on AMD Geode LX800 System

2010-02-18 Thread Brian A. Seklecki (CFI NOC)

On 2/18/2010 12:47 PM, Ryan Corder wrote:

Essentially, on these lower-power devices, the cost of moving the data to and
from the crypto card across the PCI bus negates most performance gains you
would achieve trying to offload it.


Right

Whereas on servers, these devices only offer a benefit if the CPU is 
saturated and this permits work offload, allowing the main system to 
use CPU for other things.


Unfortunately, it's often less expensive to buy more cores on production 
servers than to put an $800 crypto card in.


But if you're doing lots of stuff on your AMD Geode appliance ...you may 
find it beneficial.


That's why you see crypto card manufacturers getting into things like 
HSMs and other products now, because the heyday of helping out a 
Pentium-III server with a Crypto Accelerator is over.


~BAS



Re: mod_ldapvhost

2010-02-18 Thread Bambero
This is not DNS related. Maybe I should write:

Apache can't see virtualhosts in LDAP.

On Thu, Feb 18, 2010 at 8:45 PM, Bret S. Lambert bret.lamb...@gmail.com wrote:
 On Thu, Feb 18, 2010 at 08:23:08PM +0100, Bambero wrote:
 Hello

 I have a problem with mod_ldapvhost. It won't resolve hosts. I still
 have DocumentRoot from httpd.conf. Does it require any additional
 configuration? I'm sure that the connection between apache and openldap is
 established properly.

 You likely need to work out how to get /etc/resolv.conf inside
 your http chroot.

 This has been discussed enough on the list that you shouldn't have
 any trouble figuring out how to shoehorn most anything, up to and
 including a working Windows7 install, into the chroot environment.


 Maybe someone has an example ldif file to test.

 Unfortunately there is no documentation for mod_ldapvhost.

 Thanks for any help,
 Bambero



Dump levels ?

2010-02-18 Thread Jean-Francois
Hi,

Is it possible to clarify what resides behind the concept of levels regarding 
dump(8)?
For me, level 0 is understood to be a complete dump of all files at a 
given mount point and all subdirectories. But I can't figure out what upper 
levels are.

Regards



Re: Dump levels ?

2010-02-18 Thread Otto Moerbeek
On Thu, Feb 18, 2010 at 10:54:55PM +0100, Jean-Francois wrote:

 Hi,
 
 Is it possible to clarify what resides behind the concept of levels regarding 
 dump(8)?
 For me, level 0 is understood to be a complete dump of all files at a 
 given mount point and all subdirectories. But I can't figure out what upper 
 levels are.
 
 Regards

A level 0 dump includes all files. A level n dump is all the files
that have changed or were added since the last level n - 1 dump. 

-Otto



Re: Dump levels ?

2010-02-18 Thread Gilles Chehade
On Thu, Feb 18, 2010 at 10:54:55PM +0100, Jean-Francois wrote:
 Hi,
 
 Is it possible to clarify what resides behind the concept of levels regarding 
 dump(8)?
 For me, level 0 is understood to be a complete dump of all files at a 
 given mount point and all subdirectories. But I can't figure out what upper 
 levels are.
 
 Regards
 

from dump(8)'s man page:

     -0-9    Dump levels.  A level 0, full backup, guarantees the entire file
             system is copied (but see also the -h option below).  A level
             number above 0, incremental backup, tells dump to copy all files
             new or modified since the last dump of a lower level.  The
             default level is 0.

So a dump of level 0 is a complete dump, a dump of level 1 is a dump of all
files changed since the last level 0 dump, a dump of level 2 is a dump of all
files changed since the last dump of level 1, and so on.

Gilles

-- 
Gilles Chehade
freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: Dump levels ?

2010-02-18 Thread Jean-Francois
On Thursday 18 February 2010 23:02:38, Otto Moerbeek wrote:
 On Thu, Feb 18, 2010 at 10:54:55PM +0100, Jean-Francois wrote:
  Hi,
 
  Is it possible to clarify what resides behind the concept of levels
  regarding dump(8)?
  For me, level 0 is understood to be a complete dump of all files at
  a given mount point and all subdirectories. But I can't figure out what
  upper levels are.
 
  Regards

 A level 0 dumps includes all files. A level n dump are all the files
 that have changed or were added since the last level n - 1 dump.

   -Otto

My dump level 1 dumps all the files again. How to let it dump based on the
lower level ?

I did as follows :
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/

Regards



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Jason Beaudoin
On Thu, Feb 18, 2010 at 2:59 PM, bofh goodb...@gmail.com wrote:
 On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets laur...@daemon.be wrote:

 interesting & spot-on remarks


  Just don't get ISS crap.

 Also, snort is good, but you must know what you're doing.  Our snort box,
 running on an old throw away box, and only capturing/analyzing 10 minutes
 of
 every hour, is giving us *MORE* useful data than half a mil worth of ISS
 crap.


 Care to elaborate? :)

 Which parts?  ISS suck so much that even though IBM spent $$ to acquire
 them, IBM is now killing the entire product line?  What kills me (and *TAKE
 NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a
 report on how ISS's IPS took top billing in some magazine or review.

I haven't done my in-depth homework on commercial solutions - we're a
small company with a small budget, and have been reviewing various
solutions in the 20k / yr range (trustwave, alert logic, tripwire,
etc). But a good point has been brought up about overall access and
the depth of information available.. I'll have to dig deeper on this.
I don't know if this is a big enough issue for us to overcome the
major plus (offloading the constant analysis, our team is small).


 On what we're doing internally, we're capturing data for 10 minutes every
 hour, and then having the box analyze that data using a variety of tools
 including snort.  It then sends us information on crap such as botnet
 command/control traffic among other things.  Things that we have full packet
 captures on, that ISS refuses to provide.  We also drop it into a graphing
 tool, so we get nice maps of green/good traffic and red/bad traffic, and you
 can see the 3 boxes that are talking to all the botnet C&C servers, etc.

Sounds pretty rockin' - I'm sure it took a while to get that sorted
out and up to a usable form.

 We're still working on it, and I hope the new(er) servers we are putting in
 will be able to provide better/more info.  Hopefully we'll buy some really
 beefy servers later in the year so that we can do full analysis.

 I'll send a list of the tools we used later, have to ping my guy for it :)

That would be fantastic, I am surely interested in some of the details
of how you have put this together.

Thanks for sharing!

~Jason



Re: Dump levels ?

2010-02-18 Thread Adriaan
On Thu, Feb 18, 2010 at 11:21 PM, Jean-Francois jfsimon1...@gmail.com wrote:

[snip]

 My dump level 1 dumps all the files again. How to let it dump based on the
 lower level ?

 I did as follows :
 sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
 sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/


You did two level 0 dumps, so what else do you expect? ;)



Re: Dump levels ?

2010-02-18 Thread Otto Moerbeek
On Thu, Feb 18, 2010 at 11:21:02PM +0100, Jean-Francois wrote:

 On Thursday 18 February 2010 23:02:38, Otto Moerbeek wrote:
  On Thu, Feb 18, 2010 at 10:54:55PM +0100, Jean-Francois wrote:
   Hi,
  
   Is it possible to clarify what resides behind the concept of levels
   regarding dump(8)?
   For me, level 0 is understood to be a complete dump of all files at
   a given mount point and all subdirectories. But I can't figure out what
   upper levels are.
  
   Regards
 
  A level 0 dumps includes all files. A level n dump are all the files
  that have changed or were added since the last level n - 1 dump.
 
  -Otto
 
 My dump level 1 dumps all the files again. How to let it dump based on the
 lower level ?
 
 I did as follows :
 sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
 sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/

You are doing two level 0 dumps. The second invocation should use -1ua.
Also, note that these dumps are filesystem dumps. A whole filesystem
is dumped this way.

-Otto
 
 Regards



Re: Dump levels ?

2010-02-18 Thread Jean-Francois
On Thursday 18 February 2010 23:43:38, Adriaan wrote:
 On Thu, Feb 18, 2010 at 11:21 PM, Jean-Francois jfsimon1...@gmail.com
 wrote:

 [snip]

  My dump level 1 dumps all the files again. How to let it dump based on
  the lower level ?
 
  I did as follows :
  sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
  sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/

 You did two level 0 dumps, so what else you expect ?;)

Mistyped the mail. I proceeded this way and got the same dump twice. Is
that normal?
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
sudo dump -1ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/



Re: HIFN 7955 Support in OpenBSD 4.6 on AMD Geode LX800 System

2010-02-18 Thread Stuart Henderson
On 2010-02-18, Liam Farr liamf...@me.com wrote:
 I have a AMD Geode LX800 based system (PC Engines ALIX 2C3) and
 am trying to use a HIFN 7955 (Soekris VPN1411) crypto card to improve
 OpenSSL performance (for SFTP and OpenVPN).

You could compare your current results with those after setting
sysctl kern.usercrypto=0 - e.g. openssl speed -evp aes128 -elapsed

If the accelerator is working for the cipher you're testing, you
will most likely see some gains on the larger block sizes, and
probably a slow-down on smaller block sizes.
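
The comparison Stuart suggests produces two `openssl speed` tables, one with kern.usercrypto=0 (userland cannot reach /dev/crypto, so OpenSSL uses its own software AES) and one with kern.usercrypto=1 (OpenSSL hands each request to the hifn(4) card through /dev/crypto). What matters is the per-block-size ratio between them and where the accelerator breaks even. The following is an added example, not code from this thread or from OpenSSL: a small parser for that output plus the ratio computation. The two tables are constructed here in the format openssl speed prints; the throughput figures are the ones Liam reports later in this thread, pasted with the run-together columns of the original e-mail so the parser has to cope with them.

```python
"""Compare two `openssl speed -evp <cipher> -elapsed` runs on OpenBSD:
kern.usercrypto=0 (software crypto in libcrypto) against kern.usercrypto=1
(/dev/crypto, i.e. the hifn(4) accelerator). Added example, not from the
thread; the sample tables below are constructed input in openssl's format."""
import re

# kern.usercrypto=0: software AES in libcrypto
SOFTWARE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4864.23k     7017.85k     7896.30k     8215.34k     8238.61k
aes-256-cbc       4589.43k     5356.36k     5956.85k     6008.82k     6070.19k
"""

# kern.usercrypto=1: every request goes over the PCI bus to the hifn card.
# The last two columns are run together, as in the pasted mail.
HARDWARE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc193.60k      681.73k     2049.24k     6516.71k12357.51k
aes-256-cbc        188.07k      656.00k     2048.68k     6462.63k12346.79k
"""

HEADER_RE = re.compile(r"(\d+) bytes")
# throughput fields end in 'k'; the pattern still splits "6516.71k12357.51k"
VALUE_RE = re.compile(r"(\d+(?:\.\d+)?)k")
# cipher name: runs up to whitespace or up to a number fused onto it
NAME_RE = re.compile(r"[A-Za-z][\w-]*?(?=\s|\d+\.\d+k)")


def parse_speed(text):
    """Return {cipher: {block_size: kbytes_per_second}} from openssl speed output."""
    sizes, result = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(s) for s in HEADER_RE.findall(line)]
            continue
        if not sizes:
            continue                      # preamble before the column header
        name = NAME_RE.match(line)
        values = [float(v) for v in VALUE_RE.findall(line)]
        if not name or not values:
            continue
        if len(values) != len(sizes):
            raise ValueError(f"expected {len(sizes)} columns: {line!r}")
        result[name.group(0)] = dict(zip(sizes, values))
    return result


def compare(software_out, hardware_out, cipher):
    """Per-block-size hardware/software throughput ratio, and the smallest
    block size at which the accelerator at least matches software
    (None if it never does)."""
    sw = parse_speed(software_out)[cipher]
    hw = parse_speed(hardware_out)[cipher]
    ratios = {size: round(hw[size] / sw[size], 3) for size in sorted(sw)}
    breakeven = next((size for size, r in ratios.items() if r >= 1.0), None)
    return ratios, breakeven


if __name__ == "__main__":
    for cipher in ("aes-128-cbc", "aes-256-cbc"):
        ratios, breakeven = compare(SOFTWARE, HARDWARE, cipher)
        print(cipher, ratios, "break-even block size:", breakeven)
```

On these figures aes-128-cbc only breaks even at 8192-byte blocks and aes-256-cbc at 1024, while at 16 bytes the card delivers under 5% of the software rate: the fixed cost of each trip across the PCI bus dominates until the request is large. A workload whose individual crypto requests are small therefore sees no gain from the card even when it is working correctly, which is the point Brian makes earlier in this thread.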



Re: Dump levels ?

2010-02-18 Thread andres

Quoting Jean-Francois jfsimon1...@gmail.com:


Hi,

Is it possible to clarify what resides behind the concept of levels regarding
dump(8)?
For me, level 0 is understood to be a complete dump of all files at a
given mount point and all subdirectories. But I can't figure out what upper
levels are.

Regards


Dump levels other than 0 allow you to make partial dumps.

I used to do dump level 0's at the start of the month.

Then from Monday to Thursday I'd do dump 9's.  Each dump
would save things from the previous 9 (or 0 the first time).
Fridays I'd do a level 8.

Thus each M-T I'd save the day's work, Friday I'd save the
week's work.  Then at the start of the next month a level 0
dump would make a copy of everything.

Each dump level going downwards saves all the data from
previous (higher) numbered dumps.

--STeve Andre'



Re: Split by CUE

2010-02-18 Thread ropers
This is probably not what you want, but just for the heck of it: you
can split MP3 and OGG files by CUE sheet --without re-encoding-- using
mp3splt-gtk: 
http://www.openbsd.org/4.6_packages/i386/mp3splt-gtk-0.5.4p0.tgz-long.html
I don't think mp3splt can split WAV files though.

This page is heavy on the Linux, but it suggests that shntool and
cuetool *may* be able to split WAVs by CUE sheet (I haven't actually
tried this):

http://aidanjm.wordpress.com/2007/02/15/split-lossless-audio-ape-flac-wv-wav-by-cue-file/

http://www.etree.org/shnutils/shntool/
http://freshmeat.net/projects/cuetools/

However, you'd probably be the first to port shntool and cuetools to OpenBSD.

On the plus side, there is an existing port for xmms-shn, a software
by the same author as shntool: http://www.etree.org/shnutils/ -- and
this *could* indicate that porting at least shntool *may* be easier
than expected.

regards,
--ropers

On 16 February 2010 10:50, Stas Miasnikou m...@gurtam.com wrote:

 What tools do you use to split .wav (.flac, .ape, etc) by CUE sheet?



OT, .. but has anyone seen a crontab editor

2010-02-18 Thread L. V. Lammert
that would be useable for basic sysadmin types (maybe something
nCurses)?

Found one tcl/tk at:
  http://www.linux-kheops.com/pub/vcron/vcronGB.html
but running an X tool would be too complicated for this
requirement.

TIA,

Lee



Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread bofh
What kind of basic unix admin can't deal with

% export EDITOR=vi
% crontab -e

?

On 2/18/10, L. V. Lammert l...@omnitec.net wrote:
 that would be useable for basic sysadmin types (maybe something
 nCurses)?

 Found one tcl/tk at:
   http://www.linux-kheops.com/pub/vcron/vcronGB.html
 but running an X tool would be too complicated for this
 requirement.

   TIA,

   Lee



-- 
Sent from my mobile device

http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: Split by CUE

2010-02-18 Thread Bryan
On Thu, Feb 18, 2010 at 18:26, ropers rop...@gmail.com wrote:
 This is probably not what you want, but just for the heck of it: you
 can split MP3 and OGG files by CUE sheet --without re-encoding-- using
 mp3splt-gtk: 
 http://www.openbsd.org/4.6_packages/i386/mp3splt-gtk-0.5.4p0.tgz-long.html
 I don't think mp3splt can split WAV files though.

 This page is heavy on the Linux, but it suggests that shntool and
 cuetool *may* be able to split WAVs by CUE sheet (I haven't actually
 tried this):

 http://aidanjm.wordpress.com/2007/02/15/split-lossless-audio-ape-flac-wv-wav-by-cue-file/

 http://www.etree.org/shnutils/shntool/
 http://freshmeat.net/projects/cuetools/

 However, you'd probably be the first to port shntool and cuetools to OpenBSD.

 On the plus side, there is an existing port for xmms-shn, a software
 by the same author as shntool: http://www.etree.org/shnutils/ -- and
 this *could* indicate that porting at least shntool *may* be easier
 than expected.

 regards,
 --ropers

 On 16 February 2010 10:50, Stas Miasnikou m...@gurtam.com wrote:

 What tools do you use to split .wav (.flac, .ape, etc) by CUE sheet?



When I was investigating abcde for FLAC creation, there was the
ability to make CUE files using mkcue, but our version didn't have
it in ports.
I was able to pull the source using subversion and install mkcue with
no issues.  I really need to sit down and create a port for it, since
it built very quickly.

http://code.google.com/p/abcde/source/checkout

yea, it's not perfect, but it works.



Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread L. V. Lammert
On Thu, 18 Feb 2010, bofh wrote:

 What kind of basic unix admin can't deal with

 % export EDITOR=vi
 % crontab -e

 ?

Didn't say they were *unix* admins, .. no way I'd saddle some of these
guys with vi, much less setting the cron time parameters correctly.

Lee



Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread Robert Bronsdon

On Fri, 19 Feb 2010 01:25:48 -, bofh goodb...@gmail.com wrote:


What kind of basic unix admin can't deal with

% export EDITOR=vi
% crontab -e


The kind that I don't want messing with crontab to begin with.


--
Using Opera M2: http://www.opera.com/mail/



CLEAN YOUR NAME

2010-02-18 Thread franciny-dalva
CLEAN YOUR NAME WITHOUT HAVING TO PAY YOUR DEBTS
SEND AN EMAIL FOR INFORMATION
limpeagora...@hotmail.com



Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread patrick keshishian
On Thu, Feb 18, 2010 at 5:39 PM, Robert Bronsdon reash...@gmail.com wrote:
 On Fri, 19 Feb 2010 01:25:48 -, bofh goodb...@gmail.com wrote:

 What kind of basic unix admin can't deal with

 % export EDITOR=vi
 % crontab -e

 The kind that I don't want messing with crontab to begin with.

this reminds me of the saying about giving a man a fish vs teaching
him how to fish.



Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread Chris Bennett

L. V. Lammert wrote:

On Thu, 18 Feb 2010, bofh wrote:

  

What kind of basic unix admin can't deal with

% export EDITOR=vi
% crontab -e

?



Didn't say they were *unix* admins, .. no way I'd saddle some of these
guys with vi, much less setting the cron time parameters correctly.

Lee


  

There is a simple and effective system for this level.

Have them write all their cron stuff in their crontab-let pad
Set crontab-alarm clock to go off at appropriate times
Type in commands from crontab-let pad.

Never fails

--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
  -- Robert Heinlein



Re: mod_ldapvhost

2010-02-18 Thread Corey

On 02/18/2010 01:45 PM, Bret S. Lambert wrote:


This has been discussed enough on the list that you shouldn't have
any trouble figuring out how to shoehorn most anything, up to and
including a working Windows7 install, into the chroot environment.


Oh, is _that_ how they fixed UAC? :^)

They are charging $100-plus for an upgrade, and I bet they aren't 
kicking anything back to the project.




Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread bofh
On Thu, Feb 18, 2010 at 10:00 PM, Chris Bennett 
ch...@bennettconstruction.biz wrote:


 There is a simple and effective system for this level.

 Have them write all their cron stuff in their crontab-let pad
 Set crontab-alarm clock to go off at appropriate times
 Type in commands from crontab-let pad.

 Never fails


Heh.  I did that at my last place.  You want your web pages to go out
automagically?  OK, develop it, and when you're done, stick it onto this
staging server.  At 2am each morning, an rsync from the staging server to my prod
server happens.  After that, it rsyncs to each of the prod webservers.
Throw in a couple of keys, and a year after I left, it was still working.
Except that no one dared touch it, because it just works.  Even though I
documented everything.  But, they were click and drool monkeys, so





Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread L. V. Lammert
On Thu, 18 Feb 2010, patrick keshishian wrote:

 On Thu, Feb 18, 2010 at 5:39 PM, Robert Bronsdon reash...@gmail.com wrote:
 
  The kind that I don't want messing with crontab to begin with.

 this reminds me of the saying about giving a man a fish vs teaching
 him how to fish.

That would be like trying to teach a Bedouin to fish, .. not going to
happen.

Lee



Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread bofh
On Thu, Feb 18, 2010 at 11:10 PM, L. V. Lammert l...@omnitec.net wrote:

 On Thu, 18 Feb 2010, patrick keshishian wrote:
  this reminds me of the saying about giving a man a fish vs teaching
  him how to fish.

 That would be like trying to teach a Bedouin to fish, .. not going to
 happen.


Please, Bedouins can fish; after all, they live near oases, which typically
have fish :)




Re: How to change pciide to ahci if there is no option for this in BIOS

2010-02-18 Thread Tomas Bodzar
OK, just a small update. My friend enabled soft updates and the speed is
quite a bit better now. What the real problem is, is Dolphin from KDE. In
Dolphin he can copy to another place on his LAN at only about 3MB/s. With
scp in the console or in a terminal under KDE he is able to get about 11MB/s.
BTW he tried to copy a 2.4GB iso file from his laptop to the server and
back.

On Thu, Feb 18, 2010 at 8:51 PM, Chris Cappuccio ch...@nmedia.net wrote:
 This system is definitely too old for AHCI to be a chipset option.

 You could always add in a cheap SATA card with Silicon Image chip, the sili
 driver supports NCQ...

 1-3MB/sec isn't near the max speed of any of your hardware, and you fail to
 mention what you are doing while iostat is running to show this.  What is the
 problem again?

 Tomas Bodzar [tomas.bod...@gmail.com] wrote:
 Hi all,

 my friend started using OpenBSD on his server, but he has quite bad
 performance with his disk. Actually it's running under native mode:

 pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA,
 channel 0 configured to native-PCI, channel 1 configured to native-PCI
 pciide1: using apic 2 int 18 (irq 9) for native-PCI interrupt


 and there is no chance to switch it to AHCI. So he will install a newer
 BIOS (there is no info about a possible new option for it in the release
 notes). So before additional tests it would be good if it were
 possible to switch to AHCI directly. Is there such an option? From the man
 page for pciide I can see that it's possible to set some options for
 some controllers via config, so is it possible for AHCI too? Soft
 updates aren't enabled and I know that has an impact on
 performance, so he will enable them. Then it's only down to AHCI/native, the
 namei cache and the combination of all the HW involved.

       tty            cd0              wd0              cpu
  tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
    0   18  0.00   0 0.00  26.55  49 1.27   3  0  3  3 92
    0   89  0.00   0 0.00  14.93 214 3.12  13  0 21 14 53
    0    0  0.00   0 0.00  15.54 171 2.60  13  0 11 10 65
    0    0  0.00   0 0.00  15.91 161 2.51  16  0 12 10 62
    0    0  0.00   0 0.00  15.83 168 2.60  17  0 12  8 62
    0    0  0.00   0 0.00  15.87 165 2.56  14  0 14  8 64
    0  176  0.00   0 0.00  16.00 199 3.10  14  0 11 11 63
    0    0  0.00   0 0.00  15.84 179 2.77  11  0 14 14 60
    0    0  0.00   0 0.00  15.49 150 2.26  14  0 14  9 62
    0    0  0.00   0 0.00  14.24 130 1.81  13  0 12  5 69

  procs    memory       page                    disks    traps          cpu
  r b w    avm     fre  flt  re  pi  po  fr  sr cd0 wd0  int   sys    cs us sy id
  0 5 0  19584  414996  508   0   0   0   0   0   0  54 1006  5732  1859  3  5 92
  0 5 0  19592  414988   25   0   0   0   0   0   0 116 8059 43686 14876 17 30 53
  1 5 0  19592  414988    7   0   0   0   0   0   0   0 4384 26122  9199 15 27 57
  0 5 0  19592  414956   11   0   0   0   0   0   0   0 4486 26236  9287 17 23 60
  1 5 0  19592  414972   34   0   0   0   0   0   0   0 4005 24506  8873 14 16 70
  0 5 0  19592  414988    7   0   0   0   0   0   0   0 4594 26552  9348 15 21 63
  0 5 0  19592  414948    7   0   0   0   0   0   0   0 4493 26480  9379 17 23 59
  0 5 0  19592  414948    7   0   0   0   0   0   0   2 4086 24244  8709 17 19 64
  1 5 0  19592  414964   11   0   0   0   0   0   0   0 4096 24023  8595 14 18 67
  0 5 0  19592  415012   34   0   0   0   0   0   0   0 4582 26632  9397 19 21 59







 OpenBSD 4.7-beta (GENERIC.MP) #409: Sun Feb  7 17:09:00 MST 2010
     t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
 RTC BIOS diagnostic error 18<memory_size,fixed_disk>
 cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
 real mem  = 534806528 (510MB)
 avail mem = 509517824 (485MB)
 RTC BIOS diagnostic error 18<memory_size,fixed_disk>
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 09/29/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (69 entries)
 bios0: vendor Dell Computer Corporation version A06 date 09/29/2004
 bios0: Dell Computer Corporation OptiPlex GX270
 acpi0 at bios0: rev 0
 acpi0: tables DSDT FACP SSDT APIC BOOT ASF!
 acpi0: wakeup devices VBTN(S4) PCI0(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3) PCI1(S5) MOU_(S3)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 199MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
 cpu1:

Re: OT, .. but has anyone seen a crontab editor

2010-02-18 Thread Lars Nooden
L. V. Lammert wrote:
 ... no way I'd saddle some of these
 guys with vi, much less setting the cron time parameters correctly.

Then you are far, far better off not letting them anywhere near the
server room if they are that unqualified.

Give them some time to learn and a training server, but make sure that
the probationary period does not pass.  If they're the typical
smart-as-a-box-of-hair Microsoft admin, you're better off getting them
back out the door ASAP.

If they turn out to be capable of learning then making heavy use of
custom formulas in sudoers can give them training wheels on the
production server while they get up to speed.

/Lars



Re: HIFN 7955 Support in OpenBSD 4.6 on AMD Geode LX800 System

2010-02-18 Thread Liam Farr
Thanks for all the responses,

With sysctl kern.usercrypto=0

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       4864.23k     7017.85k     7896.30k     8215.34k     8238.61k
aes-256-cbc       4589.43k     5356.36k     5956.85k     6008.82k     6070.19k


With sysctl kern.usercrypto=1

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc        193.60k      681.73k     2049.24k     6516.71k    12357.51k
aes-256-cbc        188.07k      656.00k     2048.68k     6462.63k    12346.79k

Which is slower on the smaller blocks and faster on the large blocks, as 
you said.

What I am really trying to achieve is decent throughput on SFTP file transfers. 
I have a NAS box connected to NIC vr1 and have mounted that via NFS on /nas, 
and then connect via SFTP on NIC vr0 and pull files out of /nas. I seem to 
achieve approx 2 megabytes/sec regardless of whether I have the HIFN chip 
installed in the mini PCI slot or not, and CPU usage also seems exactly the 
same.

Top with crypto card removed while SFTP transfer at 2200 KiB/s is running;

load averages:  1.66,  0.60,  0.33                                  02:21:37
20 processes:  1 running, 18 idle, 1 on processor
CPU states: 69.0% user,  0.0% nice, 17.2% system, 13.9% interrupt,  0.0% idle
Memory: Real: 9872K/46M act/tot  Free: 197M  Swap: 0K/256M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
22278 root      58    0 3480K 2580K run       -         1:28 71.44% sshd
28432 root      -5    0  656K 1128K sleep     getblk    0:09  7.18% sftp-server
  968 _openvpn   2    0 1064K 2616K sleep     poll      0:26  0.00% openvpn
21013 _syslogd   2    0  544K  720K sleep     poll      0:05  0.00% syslogd
 6090 root       2    0 3408K 2552K sleep     select    0:00  0.00% sshd
14650 root       2    0 1008K 1500K sleep     select    0:00  0.00% sendmail
16844 root      18    0  508K  460K idle      pause     0:00  0.00% ksh
 2099 _ntp       2    0  704K  820K idle      poll      0:00  0.00% ntpd
30378 root      28    0  564K 1244K onproc    -         0:00  0.00% top
 7669 _pflogd    4    0  472K  312K sleep     bpf       0:00  0.00% pflogd
 6463 root       3    0  564K  424K idle      ttyin     0:00  0.00% ksh
10777 _ntp       2    0  580K  868K idle      poll      0:00  0.00% ntpd
    1 root      10    0  428K  308K idle      wait      0:00  0.00% init
18163 root       2    0  616K  808K idle      select    0:00  0.00% cron
24412 root      18    0  556K  376K idle      pause     0:00  0.00% ksh
 3300 root       2    0  296K  736K idle      select    0:00  0.00% inetd
 4900 root       2    0  508K  676K idle      netio     0:00  0.00% syslogd
 8166 root       2    0  676K 1176K idle      select    0:00  0.00% sshd


Top with crypto card installed while SFTP transfer at 2200 KiB/s running;

load averages:  1.66,  0.55,  0.22                                  02:27:41
20 processes:  1 running, 18 idle, 1 on processor
CPU states: 67.2% user,  0.0% nice, 16.5% system, 16.1% interrupt,  0.2% idle
Memory: Real: 9652K/47M act/tot  Free: 197M  Swap: 0K/256M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
30075 root      64    0 3472K 2572K run       -         0:33 72.41% sshd
10999 root      -5    0  720K 1068K sleep     pipewr    0:03  7.08% sftp-server
 2199 _openvpn   2    0 1052K 2476K sleep     poll      0:01  0.00% openvpn
29905 _syslogd   2    0  600K  696K sleep     poll      0:00  0.00% syslogd
19752 root       2    0 3368K 2548K sleep     select    0:00  0.00% sshd
10009 root      28    0  560K 1240K onproc    -         0:00  0.00% top
21763 _ntp       2    0  664K  832K idle      poll      0:00  0.00% ntpd
22026 root      18    0  568K  436K idle      pause     0:00  0.00% ksh
    1 root      10    0  432K  300K idle      wait      0:00  0.00% init
13567 root       2    0 1036K 1452K sleep     select    0:00  0.00% sendmail
 9852 root      18    0  484K  368K idle      pause     0:00  0.00% ksh
16925 _ntp       2    0  540K  864K sleep     poll      0:00  0.00% ntpd
12897 root       2    0  356K  732K idle      select    0:00  0.00% inetd
 7259 root       3    0  276K  736K idle      ttyin     0:00  0.00% getty
29710 root       2    0  508K  792K idle      select    0:00  0.00% cron
18649 root       2    0  644K 1172K idle      select    0:00  0.00% sshd
22471 _pflogd    4    0  696K  316K sleep     bpf       0:00  0.00% pflogd
30995 root       2    0  580K  664K idle      netio     0:00  0.00% syslogd


I expected that there would be some difference with the card in and out; if 
sshd was using the crypto, shouldn't less CPU time be going to sshd and more to 
interrupt, as it's pushing more data onto the PCI bus?

Would the PCI bus be a limiting factor here? From what I understand PCI 
32-bit/33 MHz has a bus